Add temp rule to log all traffic

Post by Harry Putna » Tue, 17 Apr 2001 10:15:37



I'm a little stumped on syntax here.

These rules and their concomitant (delete) rules, will allow traffic
on a specific port and log it:

    ipchains -I output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $UNPRIVPORTS \
             --destination-port 25 -j ACCEPT -l

    ipchains -I input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
             --source-port 25 \
             -d $IPADDR $UNPRIVPORTS -j ACCEPT -l

How can I alter these to allow, and log *all* traffic on any port?

Is it just  `--source-port /0' or something similar?

Can I just invent a variable like ALL_PORTS="0:72000" (or whatever the
highest is)?   Then do something like this for input and output?

   ipchains -I output -i $EXTERNAL_INTERFACE -p tcp  \
             -s $IPADDR $ALL_PORTS \
             --destination-port $ALL_PORTS -j ACCEPT -l

I don't really want to practice with this.  But need to be pretty
close to working on the first go around.


Add temp rule to log all traffic

Post by Manfred Bart » Tue, 17 Apr 2001 11:21:49



> I'm a little stumped on syntax here.

> These rules and their concomitant (delete) rules, will allow traffic
> on a specific port and log it:

>     ipchains -I output -i $EXTERNAL_INTERFACE -p tcp  \
>              -s $IPADDR $UNPRIVPORTS \
>              --destination-port 25 -j ACCEPT -l

>     ipchains -I input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              --source-port 25 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT -l

> How can I alter these to allow, and log *all* traffic on any port?

If you *don't specify* a port the rule will match *all* ports.

> Can I just invent a variable like ALL_PORTS="0:72000" (or whatever the
> highest is)?   Then do something like this for input and output?

No need to.  BTW, the highest port number is 2^16 - 1 = 65535

  ipchains -I output -i $EXTERNAL_INTERFACE \
           -p tcp -s $IPADDR -j ACCEPT -l

Cheers
--
Manfred
---------------------------------------------------------------
ipchainsLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>
     NEW: <http://logi.cc/linux/NetfilterLogAnalyzer.php3>


Add temp rule to log all traffic

Post by Michae » Wed, 02 May 2001 08:00:43


Just don't do it...  You may have enormous logs depending on how much
traffic you have to that port.



> I'm a little stumped on syntax here.
> These rules and their concomitant (delete) rules, will allow traffic on
> a specific port and log it:

>     ipchains -I output -i $EXTERNAL_INTERFACE -p tcp  \
>              -s $IPADDR $UNPRIVPORTS \
>              --destination-port 25 -j ACCEPT -l

>     ipchains -I input  -i $EXTERNAL_INTERFACE -p tcp ! -y \
>              --source-port 25 \
>              -d $IPADDR $UNPRIVPORTS -j ACCEPT -l
> How can I alter these to allow, and log *all* traffic on any port?  Is
> it just  `--source-port /0' or something similar?  Can I just invent a
> variable like ALL_PORTS="0:72000" (or whatever the highest is)?   Then do
> something like this for input and output?
>    ipchains -I output -i $EXTERNAL_INTERFACE -p tcp  \
>              -s $IPADDR $ALL_PORTS \
>              --destination-port $ALL_PORTS -j ACCEPT -l
> I don't really want to practice with this.  But need to be pretty close
> to working on the first go around.

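Manfred's port-less rule matches every packet, and as Michael points out the -l on it logs every one of them. The following script is an added example, not code from either poster: it parses the "Packet log:" lines that ipchains -l writes to the kernel log, tallies them by remote service port and by rule number so a temporary logging rule can be reviewed quickly, and extrapolates how fast the log would grow at the observed rate. The log layout the regex expects is my reading of the ipchains format, and the sample lines are constructed, not captured traffic.

```python
"""Tally the kernel log lines that ipchains rules carrying -l produce."""
import re
from collections import Counter

# Layout of the "Packet log:" message written for every packet that hits
# an ipchains rule with -l. This regex is my reading of that format; the
# syslog prefix (timestamp, host, "kernel:") is skipped by using search().
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) .*?\(#(?P<rule>\d+)\)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample lines (not captured traffic): a mail connection, a DNS
# lookup and a web connection as seen by port-less input and output rules,
# plus one unrelated kernel message that the parser must skip.
SAMPLE_LOG = [
    "Apr 17 10:15:37 gw kernel: Packet log: output ACCEPT eth0 PROTO=6 "
    "192.0.2.10:1025 198.51.100.5:25 L=60 S=0x00 I=4711 F=0x4000 T=64 SYN (#1)",
    "Apr 17 10:15:37 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 "
    "198.51.100.5:25 192.0.2.10:1025 L=60 S=0x00 I=0 F=0x4000 T=52 (#1)",
    "Apr 17 10:15:38 gw kernel: Packet log: output ACCEPT eth0 PROTO=17 "
    "192.0.2.10:1026 198.51.100.53:53 L=64 S=0x00 I=4712 F=0x0000 T=64 (#1)",
    "Apr 17 10:15:38 gw kernel: Packet log: input ACCEPT eth0 PROTO=17 "
    "198.51.100.53:53 192.0.2.10:1026 L=180 S=0x00 I=9 F=0x0000 T=56 (#1)",
    "Apr 17 10:15:39 gw kernel: Packet log: output ACCEPT eth0 PROTO=6 "
    "192.0.2.10:1027 198.51.100.80:80 L=60 S=0x00 I=4713 F=0x4000 T=64 SYN (#1)",
    "Apr 17 10:15:39 gw kernel: some unrelated kernel message",
]


def parse_packet_log(line):
    """Return one parsed record as a dict, or None if the line is not a Packet log entry."""
    m = PACKET_LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "rule"):
        rec[key] = int(rec[key])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    # ipchains appends "SYN" before the rule number for connection-opening TCP packets
    rec["syn"] = re.search(r"\bSYN\b", line) is not None
    return rec


def service_port(rec):
    """The remote service's port: the source port on the input chain and the
    destination port on the output chain, the same pairing as the
    --source-port 25 / --destination-port 25 rules in the thread."""
    return rec["sport"] if rec["chain"] == "input" else rec["dport"]


def summarize(lines):
    """Aggregate an iterable of log lines into counts a reviewer can scan."""
    stats = {"packets": 0, "unparsed": 0, "bytes": 0, "syn": 0,
             "by_service": Counter(), "by_rule": Counter()}
    for line in lines:
        rec = parse_packet_log(line)
        if rec is None:
            stats["unparsed"] += 1
            continue
        stats["packets"] += 1
        stats["bytes"] += rec["length"]          # L= is the IP packet length
        stats["syn"] += rec["syn"]
        stats["by_service"][(rec["proto_name"], service_port(rec))] += 1
        stats["by_rule"][(rec["chain"], rec["rule"])] += 1
    return stats


def estimate_log_growth(n_lines, window_seconds, avg_line_bytes=130):
    """Extrapolate a short observation window to one day of log text."""
    lines_per_day = n_lines * 86400 / window_seconds
    return {"lines_per_day": lines_per_day,
            "mib_per_day": lines_per_day * avg_line_bytes / 1048576}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['packets']} packets ({s['syn']} SYN), {s['unparsed']} other lines")
    for (proto, port), n in s["by_service"].most_common():
        print(f"  {proto}/{port}: {n}")
    # the constructed sample spans three seconds (10:15:37 to 10:15:39)
    g = estimate_log_growth(s["packets"], 3)
    print(f"at this rate: {g['lines_per_day']:.0f} lines/day, {g['mib_per_day']:.1f} MiB/day")
```

Feed it `grep 'Packet log:' /var/log/messages` from a few minutes of the temporary rule, then use the by_service table to decide which ports deserve their own permanent rules and which can be left out of the logging; the growth estimate is what to check before leaving a port-less -l rule in place overnight.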

ipfwadm logging rules don't log!

Hi,

I have a set of ipfwadm rules for a machine whose purpose is to accept
everything, but log certain packets that are accepted.  I can't seem to
figure out why it isn't logging.  Does anyone have any ideas?

Here is the script that sets up the ipfwadm rules:

# Some definitions
IPFWADM="/sbin/ipfwadm"
LOCALHOST="128.100.193.0/255.255.254.0"
ANYWHERE="any/0"
UNPRIVPORTS="1024:65535"

# The rules.

# Default to deny

$IPFWADM -I -p deny
$IPFWADM -O -p deny
$IPFWADM -F -p deny

# First, unlimited outputs and forwards.

$IPFWADM -O -a accept -P tcp
$IPFWADM -O -a accept -P udp
$IPFWADM -O -a accept -P icmp

$IPFWADM -F -a accept -P tcp
$IPFWADM -F -a accept -P udp
$IPFWADM -F -a accept -P icmp

# Next, all things we don't log.

$IPFWADM -I -a accept -P tcp -S $ANYWHERE 113 -D $LOCALHOST
$IPFWADM -I -a accept -P tcp -S $ANYWHERE 139 -D $LOCALHOST
$IPFWADM -I -a accept -P tcp -S $ANYWHERE 22 -D $LOCALHOST
$IPFWADM -I -a accept -P tcp -S $ANYWHERE 9999 -D $LOCALHOST

$IPFWADM -I -a accept -P udp -S $ANYWHERE 520 -D $LOCALHOST
$IPFWADM -I -a accept -P udp -S $ANYWHERE 138 -D $LOCALHOST
$IPFWADM -I -a accept -P udp -S $ANYWHERE 137 -D $LOCALHOST
$IPFWADM -I -a accept -P udp -S $ANYWHERE 68 -D $LOCALHOST
$IPFWADM -I -a accept -P udp -S $ANYWHERE 67 -D $LOCALHOST

# Now log anything else that comes in and is destined for me

$IPFWADM -I -o -a accept -P tcp -D $LOCALHOST
$IPFWADM -I -o -a accept -P udp -D $LOCALHOST

# Don't bother to log icmp since we can't differentiate by type/code

$IPFWADM -I -a accept -P icmp
